Purchase Verification

Hi everyone,

I am going to submit my first app in a few days. I hope it’ll get approved (I just hope :slight_smile: ).

To make a verification system, I need some credentials of the buyer. Can you please tell me if there is any rules and regulation about what data I can ask for purchase verification?

As far I have learned the Envato API system, I can make a verify if I get the buyer’s email, purchase code and a personal token. Is it allowed to collect this information from the buyer?

Thanks a lot.

you will not be able to know buyer email id from envato api because envato don’t share personal info to anyone. using verification systems you can store data which you will get from the api. Thanks

1 Like

If you want to handle verification on your own server, then all you need is their purchase code. You should use your own personal token to verify those purchase codes (see my guide: How to verify a purchase code using the Envato API)

If you’re building the verification purely into the item (without communicating with your own server), then you would ask the user for a personal token. You don’t need their purchase code or email. You can get both of those from the API with the personal token. Do not send the personal tokens to your server/API. They should remain local, because they are like passwords into the user’s account.


Thanks for the reply.

Your post about the verification system is very precise and clear. Thank you again for that.

Yes, I know that using only token, it’s possible to identify user email, purchases, etc (if the token has proper permission). But I don’t want the verification system to be handled by the application itself, because it can be altered easily.

I will implement your idea in my verification system.
Thank you very much. <3

1 Like

Can you please tell me if I should worry about if the user gives me someone else’s purchase code?

If I get the buyer username, I can match the given username with the purchase information, to prove that the person originally owns the purchase code? Or anything should I do to prevent it?

Another thing, I will send the purchase code to my server using AJAX, so if I include the buyers application URL with the purchase token and send them to my server, will it be something illegal?


No – that’s not an ideal direction to fight abuse from. Instead, you can implement limits on activation (i.e. if a purchase code is already in use, deny the activation).

I don’t recommend this for two reasons.

  1. It will make the verification process slightly more annoying for users.
  2. It won’t have any meaningful impact. It’s easy to share a username along with a purchase code. Purchase codes can already be traced to an account by Envato Support in case of abuse, so the username is ultimately pointless.

Yes, you can send the URL. This is a very common practice among authors. You can use this to implement the activation limits described above. If you go that route, then:

  • Make sure your activation limits don’t block development installations (such as on localhost or a development subdomain, e.g. test.site.com). Many authors allow two simultaneous installations for this reason.

  • Make sure the user can also deactivate an old installation, in case they are moving to a new domain and/or reinstalling at a new URL.


I was going to ask you about “activation limit”. But you answered it before I asked :stuck_out_tongue:

Your posts are very precise and clear! I understand all the points after one read!

You are a hero!
Thank you very much. :heart: